This article explains how to implement driver-layer traffic packet capture in Go (golang). I hope it will be helpful to everyone.
1. Driver packet capture
Tools such as Fiddler, Httpdebugger and Charles capture packets at the application layer, but they cannot obtain data from the lower-level network card. To do that, we need Google's gopacket package.
2. Encountering problems
gopacket has rich documentation, so I won't go into details on how to use it here. There is a prerequisite for using gopacket: Npcap needs to be installed in advance on Linux, and on Windows you need to install Winpcap in advance. Otherwise it cannot be used, and it reports that the relevant dynamic link library is missing. This is not very friendly to people who like to keep their system clean and do not want to install extra software. Let's look at how to solve this problem.
3. Try to solve the problem
First of all, we install no tools and take a look at the error message. I am using a Windows system here:
couldn't load wpcap.dll
The message says that wpcap.dll was not found, which is easy to understand, because we don't have it. Let's first take a look at the order in which the system searches for a DLL:
Directory containing the EXE
↓ Current directory, GetCurrentDirectory();
↓ System directory, GetSystemDirectory();
↓ Windows directory, GetWindowsDirectory();
↓ Directories listed in the PATH environment variable.
The solution seems very simple: download a wpcap.dll and put it in the directory where the exe is located. Wouldn't that be enough? It turns out that this doesn't work, and it still reports that the link library is not found. Then I called some Windows interfaces to set the DLL directory manually:
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"unsafe"

	"github.com/google/gopacket/pcap"
	"golang.org/x/sys/windows"
)

func main() {
	// Look up AddDllDirectory in kernel32.dll.
	kernel32, err := windows.LoadDLL("kernel32.dll")
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	proc, err := kernel32.FindProc("AddDllDirectory")
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	// Get the absolute path of the running executable.
	absolute, err := os.Executable()
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	// Directory that contains the executable.
	absolute = filepath.Dir(absolute)
	// AddDllDirectory expects a NUL-terminated UTF-16 string.
	utf16Ptr, err := windows.UTF16FromString(absolute)
	if err != nil {
		fmt.Println(err.Error())
		return
	}
	// Add the executable's directory to the DLL search path.
	r1, r2, err := proc.Call(uintptr(unsafe.Pointer(&utf16Ptr[0])))
	fmt.Println(r1, r2, err)
	version := pcap.Version()
	fmt.Println(version)
}
The result was that the link library was still not found. At this point, all the methods we could think of had failed. There are similar questions on Google, but no one gives a solution; they all tell us to install Winpcap. There seemed to be no solution to the problem.
4. Solution
Use dependency to view internal dependencies
After struggling for a few hours, I found a solution:
Copy wpcap.dll to the system32 directory
Copy packet.dll to the system32 directory
Copy the npf.sys driver to the drivers directory under system32
Now gopacket can be called without installing any software:
fmt.Println(pcap.Version())
Output
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
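To check which copies of wpcap.dll and packet.dll exist along the search order listed in section 3, and what each one hashes to, here is an added example that is not part of the original article. It uses only the Go standard library; the names Hit, searchDirs and findCopies are illustrative, and the order is the one this article lists, not a statement of how gopacket itself loads the library.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type Hit struct{ Path, SHA256 string } // one copy of a DLL found in a search directory

// searchDirs builds the order quoted in the article: EXE directory, current
// directory, system directory, Windows directory, then the PATH entries.
func searchDirs() []string {
	exe, _ := os.Executable()
	cwd, _ := os.Getwd()
	dirs := []string{filepath.Dir(exe), cwd}
	if root := os.Getenv("SystemRoot"); root != "" { // e.g. C:\Windows
		dirs = append(dirs, filepath.Join(root, "System32"), root)
	}
	return append(dirs, filepath.SplitList(os.Getenv("PATH"))...)
}

// findCopies lists every copy of name in dirs, in search order, with its
// SHA-256. Names are matched case-insensitively, as on Windows.
func findCopies(name string, dirs []string) []Hit {
	var hits []Hit
	for _, d := range dirs {
		entries, _ := os.ReadDir(d) // missing or unreadable directory: no entries
		for _, e := range entries {
			if e.IsDir() || !strings.EqualFold(e.Name(), name) {
				continue
			}
			p := filepath.Join(d, e.Name())
			if data, err := os.ReadFile(p); err == nil {
				hits = append(hits, Hit{p, fmt.Sprintf("%x", sha256.Sum256(data))})
			}
		}
	}
	return hits
}

func main() {
	for _, dll := range []string{"wpcap.dll", "packet.dll"} {
		for i, h := range findCopies(dll, searchDirs()) {
			fmt.Printf("%s #%d %s sha256=%s\n", dll, i+1, h.Path, h.SHA256)
		}
	}
}
```

More than one line for the same DLL means several copies sit on the search path; compare each hash with the file from a WinPcap package you trust before relying on it.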